Solved

Problem adding a Server 2003 AD to an existing Server 2000 Forest

Posted on 2006-07-12
Last Modified: 2012-05-05
I'm trying to add a new Windows Server 2003 server to an existing Server 2000 forest and I'm having some problems. When I attempt to run dcpromo I get the following error:

--------------------------------------------------------------
The operation failed because:

This Active Directory Installation requires domain configuration changes. Run the adprep /domainprep command on domain controller (null) to make these changes and then proceed with Active Directory installation.

"The server is unwilling to process the request."

--------------------------------------------------------------
The forest currently contains only one domain controller which holds all FSMO roles as well as DNS. I've run "adprep /forestprep" as well as "adprep /domainprep" on the old DC. The log file for the /forestprep shows a successful completion but the /domainprep log doesn't show a concrete end. It doesn't say success or failure, it just ends. After I ran the /forestprep I received a success notice at the command prompt but when I ran the /domainprep I didn't get anything, it paused for about 10 seconds and then returned to a basic prompt.

Here are the last few lines from the /domainprep log:

--------------------------------------------------------------
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.

LDAP API ldap_add_s() finished, return code is 0x0

Adprep successfully created the directory service object cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.

LDAP API ldap_search_s() finished, return code is 0x20

Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
[Status/Consequence]
The operation has not run or is not currently running. It will be run next.

Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.

LDAP API ldap_search_s() finished, return code is 0x0
--------------------------------------------------------------

One other detail that might have some relevance. I have two Exchange servers currently running on the domain, one Exchange 2000 server (in the process of being decommissioned) and a new Exchange 2003 server which contains all active stores.
Question by:RHADMIN
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 17094817
http://support.microsoft.com/kb/278875/
Have you checked for any orphaned entries for domain controllers in the domain, any that might have been removed physically but still have entries on the DC?

If yes, do a metadata cleanup.
===================
support.microsoft.com/kb/216498 Run the adprep again and then try promoting. If R2, use adprep from the second CD.

How many DCs?
Any errors reported in eventvwr?
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17095095
We did have an old DC that was improperly demoted previously. I used adsiedit and ntdsutil to remove it completely. I removed it from DNS, Sites and Services, Users and Computers, etc. That was all done before I attempted this dcpromo. The Domain Controllers container only contains the one Win2k Server DC.

So just to confirm, there is only one DC showing using ntdsutil. It holds all of the FSMO roles as well as DNS. Replication shouldn't be an issue here should it?

There are no errors showing in Event Viewer.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17095493
With Windows 2003 R2 (Release 2) you will need to run the adprep tools from the second CD supplied in the 2-CD set!

\CMPNENTS\R2\ADPREP

Now, this wasn't an imaged machine, was it?
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17095503
I'll take a look Jay Jay.

This machine wasn't imaged but it may be in the future. Is there a reason not to?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17095519
Unless you use sysprep with an image you will come across problems if rolling it out to multiple machines.

I had the same problem about a year ago with adprep and it was due to the SIDs duplicated with an image.
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17095532
It looks like we have release 1. The second disc is called "Diagnostic Tools" and doesn't have adprep on it. I've been running adprep from the main Server 2003 install disc.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17095542
Ah OK, so just normal Server 2003. OK.

Did you have a run through the metadata cleanup?
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17095554
Yep, I ran that and the domain currently shows only one domain controller. adsiedit/users and computers also shows only one dc.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17095567
Aight, I will ask Netman66 to have a look as he has nailed these types of problems a few times
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17095613
Thanks Jay_Jay70, this is really driving me nuts.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17095622
I understand that, I think I would have gone mad and started again, but there is an answer - I just don't know it!
0
 
LVL 51

Accepted Solution

by:Netman66 (earned 500 total points)
ID: 17095924
Hi there!

OK, so it looks like the server is being stubborn.  In ADUC, right-click the original server (root server) and select Properties.  Make sure the checkbox for "Trust for delegation" is selected.  If you had to check it, then try running adprep again.

If it was already checked then in ADUC go to View>Advanced to show all the hidden folders in ADUC.  In the System>Policies folder look for the GUID on the last line of your logfile (before the tool quit).  Right-click it and select Properties>Security.  Make sure SYSTEM, Domain Admins and Enterprise Admins have minimum Read permissions.

This error normally occurs when a GPO's default Security has been changed to deny Read permissions (or remove Full Control) from one of those groups to prevent the policy from applying - this is the wrong way to do that.  Normally, those group members are not affected by policies.

Let us know.
0
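Netman66's answer has you read the adprep log by hand to find the last DN touched before the tool quit. As an added example (not code from this thread, from Microsoft, or from adprep itself), the following Python script does that triage over the log excerpts posted in the question: it pairs each "about to call" line with its "finished" line, decodes the LDAP result code, lists every GPO GUID under CN=Policies that adprep searched, and separates a harmless 0x20 on a cn=DomainUpdates operation entry (the log's own "has not run ... will be run next" case) from results that need attention. It assumes only the two line formats visible in the posted log; DENIED_LOG is a constructed variant, not from the thread.

```python
import re

# Standard LDAP result codes (RFC 4511); adprep logs them in hex.
LDAP_RESULT = {0x00: "success", 0x20: "noSuchObject",
               0x32: "insufficientAccessRights", 0x35: "unwillingToPerform"}

CALL_RE = re.compile(r"Adprep was about to call the following LDAP API\. (?P<api>\w+)\(\)\. "
                     r"The (?:base )?entry to (?:add|start the search) is (?P<dn>.+?)\.?$")
RET_RE = re.compile(r"LDAP API (?P<api>\w+)\(\) finished, return code is 0x(?P<code>[0-9a-fA-F]+)")
POLICY_RE = re.compile(r"CN=\{(?P<guid>[0-9A-F-]+)\},CN=Policies,CN=System", re.I)

def parse_adprep_log(text):
    """Pair each 'about to call' line with the matching 'finished' line."""
    calls, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = CALL_RE.match(line)
        if m:
            pending = {"api": m.group("api"), "dn": m.group("dn")}
            continue
        m = RET_RE.match(line)
        if m and pending and pending["api"] == m.group("api"):
            code = int(m.group("code"), 16)
            calls.append({**pending, "code": code, "meaning": LDAP_RESULT.get(code, "unknown")})
            pending = None
    return calls

def triage(text):
    """Return the last LDAP call, the GPO GUIDs adprep touched, and genuine failures.
    0x20 on a cn=DomainUpdates operation entry only means that operation has not run
    yet (see the log's own [Status/Consequence] line). Anywhere else a non-zero code
    is reported; note that AD answers noSuchObject for an object the caller is not
    allowed to read, so 0x20 on a CN=Policies entry points at its ACL."""
    calls = parse_adprep_log(text)
    guids = [POLICY_RE.search(c["dn"]).group("guid") for c in calls if POLICY_RE.search(c["dn"])]
    failures = [c for c in calls if c["code"] != 0
                and not (c["code"] == 0x20 and "cn=domainupdates" in c["dn"].lower())]
    return {"last": calls[-1] if calls else None, "policy_guids": guids, "failures": failures}

# Excerpt of the thread's own /domainprep log, blank lines removed.
SAMPLE_LOG = """
Adprep was about to call the following LDAP API. ldap_add_s(). The entry to add is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_add_s() finished, return code is 0x0
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x20
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.
LDAP API ldap_search_s() finished, return code is 0x0
"""
# Constructed variant (not from the thread): the final GPO search comes back 0x20,
# which is what an admin group stripped of Read on that policy object would see.
DENIED_LOG = SAMPLE_LOG[:SAMPLE_LOG.rindex("0x0")] + "0x20\n"
```

Run `triage(open("adprep.log").read())` against a real log; the `policy_guids` list gives the objects to inspect under System>Policies and the `failures` list is empty when the run was clean.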
 
LVL 51

Expert Comment

by:Netman66
ID: 17095930
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17100726
Ok so I'm looking at the contents of the policies folder but it seems to be empty. I checked the permissions on the policies object itself and it shows full propagation from parent. The System, Enterprise and Domain admins all have full rights.
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17101036
The Policies OU also looks empty from inside ADSI edit. I must be missing something. I'm not seeing any GUIDs at all.
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17101550
At this stage I'm strongly considering starting from scratch. Would you agree that I've more or less exhausted my options Netman66?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17101822
Well, that's certainly an issue if the policies are missing.

How many DCs do you have?  Can you check the Sysvol on each to see if any of these policies exist somewhere?

You may just need to run DCGPOFIX to recreate them - but beware if running Exchange.

Let us know.
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17104188
I found the policies in the sysvol and the one referenced at the end of the log file did indeed have insufficient rights set for the domain/enterprise admins. I corrected them and ran /domainprep again. It still doesn't seem to have run correctly.

Here's the end of the log:
----------------------------------------

Adprep checked to verify whether operation cn=0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x0


Adprep checked to verify whether operation cn=a86fe12a-0f62-4e2a-b271-d27f601f8182,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x0


Adprep checked to verify whether operation cn=d85c0bfd-094f-4cad-a2b5-82ac9268475d,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc has completed.
[Status/Consequence]
The operation GUID already exists so Adprep did not attempt to rerun this operation but is continuing.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x20


Adprep verified the state of operation cn=6ada9ff7-c9df-45c1-908e-9fef2fab008a,cn=Operations,cn=DomainUpdates,cn=System,DC=rhi,DC=ubc.
[Status/Consequence]
The operation has not run or is not currently running. It will be run next.


Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=rhi,DC=ubc.


LDAP API ldap_search_s() finished, return code is 0x0
----------------------------------------

As far as I can tell it didn't change anything. I'll try rebooting the server after hours tonight and run domainprep again.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17104962
No, now that the permissions are correct you may want to try DCGPOFIX again to recreate the default policies - then - retry domainprep.

0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17109651
I've been looking at DCGPOFIX, is there any concern that my established group policy might be changed when I run it?  We don't use the default GPO for anything other than password policy and setting a couple of accounts to run as service (all security settings). Based on what I've read these settings shouldn't be changed. Is that correct?

Is there any danger that other GPOs will be edited?

0
 
LVL 51

Expert Comment

by:Netman66
ID: 17109722
Yes, this tool only affects the Default policies.

If you have GPMC, you may want to backup all your GPOs just in case.

0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17110199
Wow, the GPMC is a great tool. Thanks for the tip. I've backed up my GPOs and I'll be running DCGPOFIX tonight.
0
 
LVL 1

Author Comment

by:RHADMIN
ID: 17180245
I apologize for the delay. My time has been co-opted for another project. I'll be back to update this one in the next few days.
0